Requirement text: MP.2.120: Limit access to CUI on system media to authorized users.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Access can be limited by physically controlling system media and secure storage areas.
Physically controlling system media includes conducting inventories, ensuring procedures
are in place to allow individuals to check out and return system media to the media library,
and maintaining accountability for all stored media. Secure storage includes a locked
drawer, desk, or cabinet, or a controlled media library.
CMMC CLARIFICATION
Limit physical access to CUI to people permitted to access CUI. Use locked or controlled
storage areas and limit access to only those allowed to access CUI. Keep track of who
accesses physical CUI in some sort of record.
Example
Your organization has CUI for a specific Army contract. The Army gave you the CUI on a CD.
You store the CD in a locked drawer. The only employees with access to the drawer are those
assigned to the project. They are the only people allowed to access CUI. When someone
removes the CD for work, they sign it out with their name and time. When they return the
CD to the locked drawer, they sign it back in.
References
• NIST SP 800-171 Rev 1 3.8.2
• CIS Controls v7.1 14.6
• NIST CSF v1.1 PR.PT-2
• CERT RMM v1.2 MON:SG2.SP4
• NIST SP 800-53 Rev 4 MP-2